<?php
/*********************** Makes use of two MySQL tables.
users: CREATE TABLE `users` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(20) default NULL,
`password` varchar(40) default NULL,
`fullname` varchar(30) default NULL,
PRIMARY KEY  (`id`) ) TYPE=MyISAM
seeds: CREATE TABLE `seeds` (   `id` int(11) NOT NULL auto_increment,
`seed` timestamp(14) NOT NULL,
PRIMARY KEY  (`id`) ) TYPE=MyISAM 
*/
	
	//set up database variables
	$dbusername = "joshhughes22";
	$dbpass = "ellencallis";
	$dbhost = "localhost";
	$database = "joshhughes_com_-_football";
	
	// connect to mysql
	$mysql = mysql_connect($dbhost,$dbusername,$dbpass);
	// fail on database errors 
	if (!$mysql)
		die('false|Could not connect to MySQL');
	// connect to the database
	mysql_select_db($database, $mysql);

// one task of the server is to provide random values to hash with 
if ($_GET['task']=='getseed')
{	// insert a new row with default values
	mysql_query('INSERT INTO seeds VALUES()');
		
	// get the values from the row back
	$result = mysql_query('SELECT id, seed FROM seeds ORDER BY id DESC LIMIT 1');
	if (!$result)
		die('false|'.mysql_error());// fail on error
	
	$row = mysql_fetch_assoc($result);
	// only one row so take the first row
	echo($row['id'].'|'.$row['seed']); 
	// write back the data in form id|random_value 

}
else if ($_GET['task']=='checklogin')// the other task of the server is to check a username/password combination
{    
	// formulate query for username
	$sql = 'SELECT * FROM Users WHERE Username = \'' . mysql_real_escape_string($_GET['username']) . '\'';
	$result = mysql_query($sql);
		
	// fail on sql failure
	if (!$result)
		die('false|Could not connect to login database.  Please try again');
	    
	// get the first user with username in the table (should only be one)
	$user_row = mysql_fetch_assoc($result);    
	// if there isn't one
	if (!$user_row)
	{
		// then the username doesn't exist, but don't let the user know that this is the problem
		// rather inform them more vaguely that the combination is incorrect; prevents someone from
		// fishing for valid usernames
			die('false|Invalid username and password combination');
	}
    
	// formulate query for random timestamp for given id
	$sql = 'SELECT * FROM seeds WHERE id=' . (int)$_GET['id'];
	$result =  mysql_query($sql);    
	// die if no value for given id
	if (!$result)
		die('false|Unknown error (hacking attempt).');
	    
	// get the first (only) seed
	$seed_row = mysql_fetch_assoc($result);
    
	// fail if no row
	if (!$seed_row)
		die('false|Unknown error (hacking attempt).');
	    
	// if the md5 hashes are equal to those generated by the clientside js
	$insideHash = md5($user_row['Password']);
	$insideHash .= md5($seed_row['seed']);
	if ($user_row['Password'] == $_GET['hash'])
	{
		//set session save path
		session_save_path('../sessions');
		// Initialize a session. 
		session_start();
							 
		// If this is a new session ...
		if (!session_is_registered("count")) 
		{
			session_register("count", "start", "userID", "username","MadePlayoffs");                         
			$count = 0;
			$start = time();
			$userID = $user_row["ID"];
			$username = $user_row["Username"];
			$MadePlayoffs = $user_row["PlayOffs"];
		} 
		// logged in
			echo('true|' .  $user_row['Fname'] .' ' .  $user_row['Lname']);
		// now remove the random key that was made for this request
			mysql_query('DELETE FROM seeds WHERE id=' . (int)$_GET['id']);
	}
	else
	{	// not logged in.. incorrect password
		die('false|Invalid username and password combination');
	}
}
else if ($_GET['task']=='logout')// the other task of the server is to check a username/password combination
{
	//set session save path
	session_save_path('../sessions');
	// Initialize a session. 
	session_start();
	//End Session
	session_destroy();
	echo('true|Logged Out');
}
?> 